Bug 28490

Summary: python-aiohttp new security issue CVE-2021-21330
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, mageia, ouaurelien, sysadmin-bugs, tarazed25
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: python-aiohttp-3.7.3-1.mga8.src.rpm CVE: CVE-2021-21330
Status comment:
Attachments: Simple server script
Simple server script
Simple client script

Description David Walser 2021-02-28 15:11:41 CET 
Debian has issued an advisory on February 27:
https://www.debian.org/security/2021/dsa-4864

The issue is fixed upstream in 3.7.4:
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-v6wp-4m6f-gcjg

Mageia 8 is also affected.
David Walser 2021-02-28 15:11:51 CET

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 3.7.4

Nicolas Lécureuil 2021-03-05 00:56:34 CET

Version: Cauldron => 8
CC: (none) => mageia
Whiteboard: MGA8TOO => (none)

Comment 1 Nicolas Lécureuil 2021-03-05 01:03:07 CET 
Fixed version pushed in mga8

src:
    - python-aiohttp-3.7.4-1.mga8

Status comment: Fixed upstream in 3.7.4 => (none)
Assignee: pterjan => qa-bugs

Comment 2 David Walser 2021-03-05 01:11:21 CET 
Advisory:
========================

Updated python-aiohttp package fixes security vulnerability:

Beast Glatisant and Jelmer Vernooij reported that python-aiohttp is prone to an
open redirect vulnerability. A maliciously crafted link to an aiohttp-based
web-server could redirect the browser to a different website (CVE-2021-21330).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21330
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-v6wp-4m6f-gcjg
https://www.debian.org/security/2021/dsa-4864
========================

Updated packages in core/updates_testing:
========================
python3-aiohttp-3.7.4-1.mga8

from python-aiohttp-3.7.4-1.mga8.src.rpm
Comment 3 Len Lawrence 2021-03-26 17:00:46 CET 
mga8, x64

CVE-2021-21330
No obvious reproducers available.

Test scripts at https://pypi.org/project/aiohttp/
Copied code from that site:
async_http_client.py and async_http_server.py (attached).
Ran these before update in separate terminals.

$ python aio_http_server.py
======== Running on http://0.0.0.0:8080 ========
(Press CTRL+C to quit)

$ python aio_http_client.py
Status: 200
Content-type: text/html; charset=utf-8
Body: <!doctype html> ...
$

There are other demos at https://github.com/aio-libs/aiohttp-demos/tree/master/demos

Updated the package and ran the simple server/client test.  Identical behaviour.
Giving this an OK for 64-bits.

$ rpm -q python3-aiohttp
python3-aiohttp-3.7.4-1.mga8

CC: (none) => tarazed25
Whiteboard: (none) => MGA8-64-OK

Comment 4 Len Lawrence 2021-03-26 17:02:19 CET 
Created attachment 12524 [details]
Simple server script
Comment 5 Len Lawrence 2021-03-26 17:03:33 CET 
Created attachment 12525 [details]
Simple server script
Comment 6 Len Lawrence 2021-03-26 17:05:10 CET 
Created attachment 12526 [details]
Simple client script

Source: https://pypi.org/project/aiohttp/

Attachment 12524 is obsolete: 0 => 1

Comment 7 Thomas Andrews 2021-03-26 23:39:15 CET 
Validating. Advisory in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Aurelien Oudelet 2021-03-30 16:10:09 CEST

Keywords: (none) => advisory
CC: (none) => ouaurelien
CVE: (none) => CVE-2021-21330

Comment 8 Mageia Robot 2021-03-30 22:11:07 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0161.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED